
I have a simple site-to-site IPSec VPN where "server-A" is connected to "fw-A" over an IPSec tunnel. In front of "server-A" there is a switch which has a 1500-byte MTU interface facing the server. Sometimes clients behind "fw-A" send large packets to "server-A" and the server replies with ICMP "unreachable; frag needed" messages:

11:19:22.309296 IP 10.10.10.135 > 192.168.100.4: ICMP 10.10.10.135 unreachable - need to frag (mtu 1438), length 36

10.10.10.135 is the IP address on "server-A" eth0 interface and 192.168.100.4 is the IP address of the end-client.

Am I correct that ICMP "unreachable; frag needed" messages are sent only in case a router (or a server acting as one) wants to route a packet to another interface, but this interface has a smaller MTU than the packet and the router is not allowed to fragment this packet because the DF flag is set? If yes, then "server-A" does not do any routing. The packet should simply traverse the routing decision twice: the first time when the packet has an ESP header and the second time when it doesn't. On both occasions the destination is 10.10.10.135 and the MTU for this path should be 65536 bytes:

# ip route get 10.10.10.135
local 10.10.10.135 dev lo  src 10.10.10.135
    cache <local>
# ip link show dev lo
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
#

Could somebody explain this behavior?

Martin
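The ICMP message quoted above, decoded field by field. This is an added example and not code from the original post: it constructs a "need to frag" message matching the tcpdump line (10.10.10.135 answering 192.168.100.4 with next-hop MTU 1438), then parses it back, verifying both the IPv4 and ICMP checksums and extracting what tcpdump summarises. The offending datagram it quotes (a 1500-byte TCP segment with DF set, IP ID 0x1234, zeroed TCP header bytes) is an assumption; the question does not show it.

```python
"""Build and decode ICMPv4 Destination Unreachable / Fragmentation Needed
(type 3, code 4, RFC 792 + RFC 1191). Added example; sample data is constructed."""
import socket
import struct
from dataclasses import dataclass

ICMP_DEST_UNREACH = 3
ICMP_FRAG_NEEDED = 4
IP_PROTO_ICMP = 1
IP_FLAG_DF = 0x4000


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a block
    whose checksum field is already correct."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int,
                      df: bool = False, ttl: int = 64, ident: int = 0) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | 5, 0, 20 + payload_len, ident,
                      IP_FLAG_DF if df else 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_frag_needed(icmp_src: str, icmp_dst: str, next_hop_mtu: int,
                      offending: bytes) -> bytes:
    """ICMP type 3 / code 4 as the dropping hop emits it: 16 unused bits (zero),
    16 bits of next-hop MTU, then the offending datagram's IP header plus its
    first 8 bytes. Returned wrapped in an IPv4 header from icmp_src to icmp_dst."""
    ihl = (offending[0] & 0x0F) * 4
    icmp = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0,
                       next_hop_mtu) + offending[:ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    return build_ipv4_header(icmp_src, icmp_dst, IP_PROTO_ICMP, len(icmp)) + icmp


@dataclass
class FragNeeded:
    icmp_src: str        # hop that generated the error
    icmp_dst: str        # original sender, which must shrink its packets
    next_hop_mtu: int    # RFC 1191 field tcpdump prints as "mtu N"
    icmp_len: int        # ICMP header + quoted bytes; tcpdump's "length N"
    orig_src: str        # from the quoted datagram
    orig_dst: str        # what tcpdump prints after "ICMP ... unreachable"
    orig_total_len: int
    orig_df: bool
    orig_proto: int


def parse_frag_needed(pkt: bytes) -> FragNeeded:
    """Validate both checksums and decode a frag-needed message; ValueError otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4
    if inet_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if pkt[9] != IP_PROTO_ICMP:
        raise ValueError("not ICMP")
    icmp = pkt[ihl:total_len]
    if len(icmp) < 8 + 28 or inet_checksum(icmp) != 0:
        raise ValueError("bad or truncated ICMP")
    typ, code, _, _, mtu = struct.unpack("!BBHHH", icmp[:8])
    if (typ, code) != (ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED):
        raise ValueError(f"ICMP type {typ} code {code} is not frag-needed")
    quoted = icmp[8:]
    q_ihl = (quoted[0] & 0x0F) * 4
    if len(quoted) < q_ihl + 8:
        raise ValueError("quoted datagram shorter than header + 8 bytes")
    q_total_len, q_flags_frag = struct.unpack("!HxxH", quoted[2:8])
    return FragNeeded(
        icmp_src=socket.inet_ntoa(pkt[12:16]), icmp_dst=socket.inet_ntoa(pkt[16:20]),
        next_hop_mtu=mtu, icmp_len=len(icmp),
        orig_src=socket.inet_ntoa(quoted[12:16]), orig_dst=socket.inet_ntoa(quoted[16:20]),
        orig_total_len=q_total_len, orig_df=bool(q_flags_frag & IP_FLAG_DF),
        orig_proto=quoted[9])


def demo() -> FragNeeded:
    """Constructed sample mirroring the question's tcpdump line. The offending
    datagram (1500-byte TCP, DF set, ID 0x1234) is assumed, not taken from the post."""
    offending = build_ipv4_header("192.168.100.4", "10.10.10.135", proto=6,
                                  payload_len=1480, df=True, ident=0x1234) + bytes(8)
    reply = build_frag_needed("10.10.10.135", "192.168.100.4", 1438, offending)
    return parse_frag_needed(reply)


if __name__ == "__main__":
    r = demo()
    print(f"IP {r.icmp_src} > {r.icmp_dst}: ICMP {r.orig_dst} unreachable - "
          f"need to frag (mtu {r.next_hop_mtu}), length {r.icmp_len}")
    print(f"  quoted datagram: {r.orig_src} > {r.orig_dst}, total length "
          f"{r.orig_total_len}, DF={r.orig_df}, protocol {r.orig_proto}")
```

Two details of the format worth keeping in mind when reading such a capture: tcpdump's "length 36" is the ICMP part only (8-byte ICMP header + 20-byte quoted IP header + 8 quoted payload bytes), and the address printed right after "ICMP" is the destination of the quoted datagram, not the sender of the error. In the question both happen to be 10.10.10.135, so the quoted header is the place to look at which flow, protocol and DF setting triggered the message.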
    There are two or three answers here http://stackoverflow.com/questions/6360916/do-mtu-modifications-impact-both-directions basically stating that "setting mtu will reject larger payloads received on this interface". However no source for this claim is linked. Anyway, hope it helps. – VPfB Feb 14 '17 at 16:28
  • It could be a DF or, possibly, upon splitting and re-wrapping the packets, 1500 is exceeded. Where are the logs coming from? The application, client, switch, or server? – jayson Feb 16 '17 at 18:02
  • @VPfB Unfortunately, this doesn't help. I understand how MTU works. However, I don't fully understand why there seems to be a routing decision in the day in the life of an Encapsulating Security Payload (ESP) packet in Linux. In addition, even if there is a routing decision, then the MTU should be 64KB, as shown in my initial post. @jayson Why should the packet increase in size when the ESP header is stripped off? What logs? If you mean the ICMP "unreachable; frag needed" message in my initial post, then this is tcpdump output. – Martin Feb 20 '17 at 08:35
  • @Martin Assuming the answers are correct, packets larger than the MTU of the incoming interface are thrown away immediately. No routing decision is done, no other MTU is taken into account. – VPfB Feb 20 '17 at 11:59
  • @VPfB Yes, frames which are larger than the interface MRU (Maximum Receive Unit) are thrown away immediately. However, in my case the frame is definitely not thrown away and (for some reason) "server-A" tries to route it. – Martin Feb 20 '17 at 12:18
  • @Martin It seems to me that I do understand the situation somehow differently than you. I'm sorry that I could not help. – VPfB Feb 20 '17 at 12:54
  • @VPfB There is no need to be sorry about that. Thanks anyway! – Martin Feb 20 '17 at 12:57

0 Answers